rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2024-11-15 05:13:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

ns: switch to hidden primary model

Browse source
This commit is contained in:
Rouven Seifert 2024-03-10 20:51:05 +01:00
parent 9e01a0bc04
commit c877f4be7f
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09
1 changed files with 7 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
hosts/falkenstein/modules/dns/default.nix
View file

@ -1,5 +1,6 @@
{ pkgs, config, ... }: { pkgs, config, ... }:
let let
secondary = "185.181.104.96";
zonefile = pkgs.writeText "rfive.de.zone.txt" '' zonefile = pkgs.writeText "rfive.de.zone.txt" ''
$TTL 3600 $TTL 3600
$ORIGIN rfive.de. $ORIGIN rfive.de.
@ -56,10 +57,10 @@ in
"rfive.de" = { "rfive.de" = {
master = true; master = true;
slaves = [ slaves = [
"185.181.104.96" secondary
]; ];
extraConfig = '' extraConfig = ''
also-notify {185.181.104.96;}; also-notify {${secondary};};
dnssec-policy default; dnssec-policy default;
inline-signing yes; inline-signing yes;
serial-update-method date; serial-update-method date;
@ -72,6 +73,8 @@ in
# copy the file manually to its destination since signing requires a writable directory # copy the file manually to its destination since signing requires a writable directory
${pkgs.coreutils}/bin/cp ${zonefile} ${config.services.bind.directory}/rfive.de.zone.txt ${pkgs.coreutils}/bin/cp ${zonefile} ${config.services.bind.directory}/rfive.de.zone.txt
''; '';
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.extraInputRules = ''
networking.firewall.allowedTCPPorts = [ 53 ]; ip saddr ${secondary}/32 tcp dport 53 accept comment "Allow DNS AXFR access from INWX Servers"
ip saddr ${secondary}/32 udp dport 53 accept comment "Allow DNS access from INWX Servers"
'';
} }